OS X Yosemite and El Capitan Kerberos


At one point in time, I used MIT Kerberos extensively throughout my workplace environment. LDAP was extended to use GSS-API and was extremely useful until this:

$ kinit [email protected]
[email protected]'s Password:
kinit: krb5_get_init_creds: Preauth required but no preauth options send by KDC
$

The above started happening after I upgraded to OS X Yosemite, where Apple basically stopped supporting the weak DES and RC4 encryption types in the Kerberos implementation shipped with 10.10 and later OS versions, and rightfully so.

I love this part…

By 2008, commercial hardware costing less than USD 15,000 could break DES keys in less than a day on average. DES is long past its sell-by date.

You can probably do it these days for about $2.60/hour.

To get the functionality back on Yosemite without making the necessary update on the KDC side (which is still the recommended fix), follow these steps:

  1. Install Homebrew
  2. brew install Caskroom/cask/xquartz
  3. brew install homebrew/dupes/heimdal

You should now have your ability to kinit back… for now…

$ /usr/local/Cellar/heimdal/1.6rc2_1/bin/kinit [email protected]
[email protected]'s Password:
$ klist
Credentials cache: API:A5DE7730-A162-40ED-B44A-643C6B962C6F
Principal: [email protected]

  Issued                Expires               Principal
Apr  7 21:01:05 2016  Apr  8 07:01:05 2016  krbtgt/[email protected]
$
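
For the KDC-side update the post recommends, the starting point is knowing which principals still hold only DES or RC4 keys. The following is an added example, not from the original post: a shell function that classifies principals from text in the style of MIT `kadmin getprinc` output (the input format, the `audit_enctypes` name and the EXAMPLE.TEST principals are assumptions, and the sample is constructed).

```shell
#!/bin/sh
# Added example (not from the original post): classify principals by key enctype.
# Assumed input: "Principal: <name>" and "Key: vno <n>, <enctype>" lines,
# in the style of MIT kadmin getprinc output.

# Reads that text on stdin and prints "<principal><TAB><status>" per principal:
#   weak-only  every key is DES or RC4; clients that dropped those enctypes fail
#   mixed      DES/RC4 keys still present next to other enctypes
#   ok         no DES or RC4 keys
# Only single DES and RC4 count as weak here, the two families the post names.
audit_enctypes() {
    awk '
    function report() {
        if (princ == "") return
        verdict = "ok"
        if (weak > 0 && other > 0)  verdict = "mixed"
        if (weak > 0 && other == 0) verdict = "weak-only"
        printf "%s\t%s\n", princ, verdict
    }
    /^Principal:/ { report(); princ = $2; weak = 0; other = 0; next }
    /^Key:/ {
        etype = tolower($4)
        sub(/[:,].*/, "", etype)          # drop a ":salt" suffix or trailing ","
        if (etype ~ /^(des|arcfour|rc4)-/) weak++
        else if (etype != "") other++
    }
    END { report() }
    '
}

# Constructed sample input; the EXAMPLE.TEST principals are placeholders.
SAMPLE='Principal: alice@EXAMPLE.TEST
Key: vno 3, des-cbc-crc
Key: vno 3, arcfour-hmac
Principal: bob@EXAMPLE.TEST
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, arcfour-hmac
Principal: carol@EXAMPLE.TEST
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, aes128-cts-hmac-sha1-96'

printf '%s\n' "$SAMPLE" | audit_enctypes
```

Principals reported as `weak-only` are the ones that would hit the `kinit` failure shown at the top of the post on a client without DES/RC4 support, so they need new keys before those enctypes can be retired.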